topic Re: index time extraction in Splunk Search

index time extraction

aab5272 — Wed, 19 Jul 2017 02:28:09 GMT

I have to discard keyvalue pair from a event to null queue during index time extraction .Also there are certain key value pairs that i want to extract using Extract .My extract in props.conf is working file but the transform is not working .
here is the configuration:-

props.conf

TRANSFORM-null = setnull

transforms.conf

[setnull]
[ignore]
REGEX = cs\d+Label\=(.*?(?=(?:\s[\w.:\[\]]+=|$)))
REPEAT_MATCH = True
DEST_Key=queue
FORMAT=nullQueue

for belo kind of keyvalue pair is sending the whole event to nullQueue

cs5Label=EventId

Any solution?

Re: index time extraction

MuS — Wed, 19 Jul 2017 03:52:12 GMT

You should edit your post and use for config file content the little Code 101010 button or select the text and press CTRL-K this will keep everything as code.

Like your [setnull] stanza is empty, is that lost because of the formatting or is there actually nothing?

cheers, MuS

Re: index time extraction

aab5272 — Tue, 29 Sep 2020 14:56:25 GMT

consider below configuration.

props.conf

TRANSFORM-null = setnull

transforms.conf

[setnull]
REGEX = cs\d+Label=(.*?(?=(?:\s[\w.:[]]+=|$)))
REPEAT_MATCH = True
DEST_Key=queue
FORMAT=nullQueue

for below kind of keyvalue pair is sending the whole event to nullQueue

cs5Label=EventId

Any solution?

Re: index time extraction

woodcock — Tue, 25 Jul 2017 00:37:20 GMT

This is still broken. I have reformatted your code block in your original text. Go back in and DO NOT change the indenting but check/fix the character strings.

Re: index time extraction

jkat54 — Tue, 25 Jul 2017 01:32:53 GMT

In props.conf you've got the wrong key:

TRANSFORM-null = setnull

Should be

TRANSFORMS-null = setnull

I did the same thing about a month ago and I lost 4 hours of my life or more... vowed never to forget it again and so I spotted it right away on your post.